Tunnels & Remote Access
Tunnels provide secure access to hosts without a direct network connection. The connection is encrypted and routed through WebSocket -- no VPN required.
How It Works
┌──────────┐     WebSocket      ┌──────────┐     WebSocket      ┌──────────┐
│ Your PC  │ ──────────────────▶│ Backend  │◀────────────────── │  Agent   │
│ (Browser)│  Port 20000-25000  │ (Server) │  Heartbeat Chan.   │  (Host)  │
└──────────┘                    └──────────┘                    └──────────┘
- You create a tunnel in the frontend
- The backend opens a local port (20000-25000)
- The agent on the target host establishes the connection to the target service
- Data is forwarded encrypted through WebSocket
- You connect to backend-IP:assigned-port
Creating a Tunnel
Via the Tunnel View
- Navigate to the desired module (e.g., OPNsense)
- Select the Tunnels tab
- Click Add Tunnel
- Configure the tunnel:
| Field | Description |
|---|---|
| Host | Target host from the list |
| Template | Predefined configuration (SSH, RDP, etc.) |
| Target Port | Port on the target host |
| Description | Optional description |
Via the Context Menu
- Right-click on a host in the table
- Select Start Tunnel
- Choose a template or configure manually
Via the Detail Modal
Tunnels can also be started from the detail modal of a host.
Tunnel Templates
Each module provides specific templates:
General (all modules)
| Template | Port | Usage |
|---|---|---|
| SSH | 22 | Secure Shell |
| Agent SSH | 22 | SSH via agent tunnel |
| HTTP | 80 | Web server |
| HTTPS | 443 | Encrypted web server |
| VNC | 5900 | Virtual Network Computing |
| Custom | Any | Any service |
OPNsense-Specific
| Template | Port | Usage |
|---|---|---|
| OPNsense WebUI | 443 | Firewall management |
Proxmox VE-Specific
| Template | Port | Usage |
|---|---|---|
| PVE Web UI | 8006 | PVE management |
Proxmox BS-Specific
| Template | Port | Usage |
|---|---|---|
| PBS Web UI | 8007 | PBS management |
Windows-Specific
| Template | Port | Usage |
|---|---|---|
| RDP | 3389 | Remote Desktop |
| WinRM HTTP | 5985 | Windows Remote Management |
| WinRM HTTPS | 5986 | Windows Remote Management (SSL) |
| SMB | 445 | File shares |
Managing Tunnels
Active Tunnels
The tunnel view displays all active tunnels with:
- Host and target port
- Assigned local port
- Connection status
- Creation time
Closing a Tunnel
Click the X icon next to an active tunnel to close it. The local port will be released.
Establishing a Connection
After creating a tunnel, the connection address is displayed:
backend-IP:assigned-port
Example: 10.100.0.17:20042
Copy this address and use it in your client:
- SSH: ssh user@10.100.0.17 -p 20042
- RDP: Open 10.100.0.17:20042 in your RDP client
- HTTP: Open http://10.100.0.17:20042 in your browser
Agent SSH Tunnel
The Agent SSH tunnel is a special tunnel type. The agent provides an embedded SSH server, enabling SSH access even when no SSH service is running on the target host.
When to Use Agent SSH
- The target host has no SSH server installed
- You need a dedicated SSH connection through the agent
- The regular SSH port is blocked
Security
- All tunnel data is transmitted encrypted via WebSocket
- Tunnels are bound to the authenticated user
- Each tunnel receives a random port from the range 20000-25000
- Inactive tunnels are automatically closed after a timeout
- Tunnel access requires the corresponding module permission (e.g., opnsense.tunnels)
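A check an operator can run on the backend host to confirm that closed or timed-out tunnels really released their ports: it compares the TCP listeners in the 20000-25000 range with the assigned local ports shown in the tunnel view. This is an added example, not part of the product; the function names and sample data are constructed, and it assumes shell access to the backend, iproute2's ss, and that tunnel ports appear as ordinary TCP listeners.

```shell
#!/bin/sh
# Added example: audit tunnel listeners on the backend host.
# Assumption: tunnel ports show up as ordinary TCP listeners, so
# `ss -ltnH` (iproute2) lists them with the state in column 1 and the
# local address:port in column 4.

TUNNEL_MIN=20000   # port range stated in the documentation
TUNNEL_MAX=25000

# Read `ss -ltnH` output on stdin; print listening ports inside the
# tunnel range, one per line, sorted and de-duplicated.
tunnel_listeners() {
    awk -v lo="$TUNNEL_MIN" -v hi="$TUNNEL_MAX" '
        $1 == "LISTEN" {
            n = split($4, part, ":")   # port follows the last colon (IPv4 and [IPv6])
            port = part[n] + 0
            if (port >= lo && port <= hi) print port
        }' | sort -n -u
}

# audit_tunnels "PORTS": PORTS is the space-separated list of assigned
# local ports shown in the tunnel view; `ss -ltnH` output comes on stdin.
#   UNLISTED <port>       listener in the range that the view does not show
#   NOT-LISTENING <port>  tunnel shown in the view with no listener behind it
audit_tunnels() {
    expected=" $1 "
    listening=" $(tunnel_listeners | tr '\n' ' ')"
    for port in $listening; do
        case "$expected" in
            *" $port "*) ;;
            *) echo "UNLISTED $port" ;;
        esac
    done
    for port in $1; do
        case "$listening" in
            *" $port "*) ;;
            *) echo "NOT-LISTENING $port" ;;
        esac
    done
}

# Constructed sample of `ss -ltnH` output (not taken from a real system).
SAMPLE_SS='LISTEN 0 128  0.0.0.0:22    0.0.0.0:*
LISTEN 0 4096 0.0.0.0:20042 0.0.0.0:*
LISTEN 0 4096 [::]:23010    [::]:*
LISTEN 0 511  0.0.0.0:443   0.0.0.0:*'

# Demo: the tunnel view (constructed) lists ports 20042 and 21377.
printf '%s\n' "$SAMPLE_SS" | audit_tunnels "20042 21377"
```

On the backend, pipe live output into the function: ss -ltnH | audit_tunnels "ports from the tunnel view". An UNLISTED port is a listener that outlived its tunnel or was never created through the frontend, and is worth investigating.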